The sciences of the artificial (3rd ed.)
The sciences of the artificial (3rd ed.)
Effects of communication latency, overhead, and bandwidth in a cluster architecture
Proceedings of the 24th annual international symposium on Computer architecture
Model checking
Time, clocks, and the ordering of events in a distributed system
Communications of the ACM
Symbolic execution and program testing
Communications of the ACM
A Discipline of Programming
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
An Automata-Theoretic Approach to Presburger Arithmetic Constraints (Extended Abstract)
SAS '95 Proceedings of the Second International Symposium on Static Analysis
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
ACM SIGOPS Operating Systems Review - OSDI '02: Proceedings of the 5th symposium on Operating systems design and implementation
Proceedings of the 30th annual international symposium on Computer architecture
When Virtual Is Better Than Real
HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
Time-lock Puzzles and Timed-release Crypto
Time-lock Puzzles and Timed-release Crypto
Terra: a virtual machine-based platform for trusted computing
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Malicious Cryptography: Exposing Cryptovirology
Malicious Cryptography: Exposing Cryptovirology
Proceedings of the 2004 ACM workshop on Rapid malcode
Detecting Kernel-Level Rootkits Through Binary Analysis
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Minos: Control Data Attack Prevention Orthogonal to Memory Model
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
The Art of Computer Virus Research and Defense
The Art of Computer Virus Research and Defense
Semantics-Aware Malware Detection
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Remote Physical Device Fingerprinting
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Deconstructing Commodity Storage Clusters
Proceedings of the 32nd annual international symposium on Computer Architecture
Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems
Proceedings of the twentieth ACM symposium on Operating systems principles
Detecting past and present intrusions through vulnerability-specific predicates
Proceedings of the twentieth ACM symposium on Operating systems principles
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits
Proceedings of the 12th ACM conference on Computer and communications security
Misbehaving TCP receivers can cause internet-wide congestion collapse
Proceedings of the 12th ACM conference on Computer and communications security
To infinity and beyond: time warped network emulation
Proceedings of the twentieth ACM symposium on Operating systems principles
Siren: Catching Evasive Malware (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
SubVirt: Implementing malware with virtual machines
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
A Safety-Oriented Platform for Web Applications
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)
HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Static analysis of executables to detect malicious patterns
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Static disassembly of obfuscated binaries
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Behavior-based spyware detection
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
An email worm vaccine architecture
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
A Smart Fuzzer for x86 Executables
SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
Proceedings of the 2008 workshop on New security paradigms
Automated classification and analysis of internet malware
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
The power of procrastination: detection and mitigation of execution-stalling malicious code
Proceedings of the 18th ACM conference on Computer and communications security
| Hi-index | 0.00 |
Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, or when events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine), and identifies time counters by correlating memory write frequency to timer interrupt frequency.We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, different number of days in each month, etc.) these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) that an attacker with knowledge of the analysis technique can evade analysis. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Then through more traditional manual analysis we conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.